The Most Common Bad Password for Smart Devices? No Password At All

February 1 2021 (SAN JOSE, Calif.) - According to Avira's IoT research team, 34% of all cyber attacks on smart devices occur because there are no password credentials set at all. In these IoT attacks, hackers focus on a known vulnerability in a smart TV or smart camera, for example, and try different username/password combinations to crack into the device. The "blank input fields" combination is significantly higher than the number of attacks with other popular username/password combinations, suggesting that many smart devices have blank - and thus easily crackable - credentials.

"The most common credentials used by IoT attacks consist of a blank field. We found this via the Avira smart device honeypot. At the same time, this means that the attackers or their automated scripts do not enter a username or password to access the device," said Imran Khan, Manager Protection Labs & IoT Research Lab at Avira. "A blank password is even more common than the “admin” password," Khan continued. 

Having empty fields for username/password combinations tops among all the total combinations, even more often than the collection of timeless bad password classics (24%) such as“ admin | admin "," support | support ” and“ root | root " and sum of all default credentials (22%) of many smart devices "as root | solokey ”and“ admin | ipcam_rt5350”. 

Password Advice for Smart Device Owners 

Device manufacturers and developers are primarily responsible for addressing potential security vulnerabilities of smart devices such as insecure default credentials. Nevertheless, device owners can take action themselves to make their smart devices more secure. However, the following steps require the user to be a little more technically savvy.  

• The user manual states how to access the user interface of a smart device such as a camera via the PC. There, the insecure default password can be changed to a secure password. However, this is not so easy to implement on all devices. 

• Find out online about the known potential security gaps in your device. Many YouTube videos now offer tutorials on this. 

• Check for firmware updates for your device to fix any known vulnerabilities or problems with your device. 

• Scan your network for open ports that could attract uninvited hackers. 

• Finally, since all smart devices are connected via the router in the WLAN, it is important to secure the router itself. Avira recently compiled a collection of tips on how to improve router security.  

The Avira Honeypot  

The specialists from Avira arrived at the above-mentioned findings by means of a so-called honeypot.  Honeypots are a fixed strategic component in the fight against cyber attacks. They enable researchers to attract hackers in order to uncover their latest techniques and preferred targets of attack. 

This honeypot mimics the functions and behaviour of online devices such as routers and smart IoT devices to attract hackers. It makes itself visible on the internet as a supposedly vulnerable device, using three of the most common protocols used by smart devices: Telnet, Secure Shell and Android Debug Bridge.  

### 

Press contact:  James Griffiths, james.griffiths@avira.com